Which SIEM platforms have a T1078.001 detection rule?

df00tech provides T1078.001 (Default Accounts) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Default Accounts (T1078.001)?

Detecting Default Accounts requires the following data sources: Authentication: Authentication, Logon Session: Logon Session Creation, Process: Process Creation, Microsoft Defender for Endpoint, Windows Security Event Log.

What severity and confidence is the T1078.001 detection?

The T1078.001 detection is rated high severity with medium confidence.

What are common false positives for T1078.001?

Common false positives for T1078.001 include: Legitimate administrator accounts named 'Administrator' used by IT staff for maintenance tasks in environments without privileged access workstations (PAWs); Automated deployment or imaging systems that authenticate with the built-in Administrator account during machine provisioning (SCCM OSD, MDT); Legacy applications or services running under the built-in Guest or Administrator context that have not been migrated to service accounts.

T1078.001 Sumo Logic CSE · Sumo

Detect Default Accounts in Sumo Logic CSE

Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those built into an OS (e.g., Guest or Administrator on Windows, root on Linux), preset on network devices/appliances, or created automatically by software integrations (e.g., vpxuser on ESXi when joined to vCenter). Adversaries exploit organizations that fail to disable, rename, or change the passwords of these accounts post-installation.

MITRE ATT&CK

Tactic: Defense Evasion Persistence Privilege Escalation Initial Access
Technique: T1078 Valid Accounts
Sub-technique: T1078.001 Default Accounts
Canonical reference: https://attack.mitre.org/techniques/T1078/001/

Sumo Detection Query

Sumo Logic CSE (Sumo)

sql

(_sourceCategory=*windows/security* OR _sourceCategory=*windows/sysmon*)
| where EventCode in ("4624","4625","4648","1")
| eval TargetUser = if(!isNull(TargetUserName), TargetUserName, if(!isNull(User), User, ""))
| eval TargetUser_lower = toLowerCase(TargetUser)
| where (TargetUser_lower in ("administrator","guest","defaultaccount","defaultuser","admin","root","vpxuser","dcadmin","sysadmin","service","support","user","test","demo","operator","sa","netadmin"))
  OR (EventCode = "1" AND (
    matches(toLowerCase(CommandLine), "net user (defaultaccount|guest|administrator) /active:yes")
    OR matches(toLowerCase(CommandLine), "net localgroup administrators (guest|defaultaccount|administrator)")
  ))
| eval EventType = if(EventCode="4624","SuccessfulLogon",if(EventCode="4625","FailedLogon",if(EventCode="4648","ExplicitCredentialLogon",if(EventCode="1","ProcessCreation","Unknown"))))
| eval LogonTypeLabel = if(LogonType="2","Interactive",if(LogonType="3","Network",if(LogonType="7","Unlock",if(LogonType="10","RemoteInteractive",if(LogonType="4","Batch",if(LogonType="5","Service",LogonType))))))
| fields _messageTime, _sourceHost, EventCode, EventType, TargetUser_lower as TargetUser, LogonTypeLabel, IpAddress, WorkstationName, CommandLine
| sort by _messageTime desc

high severity high confidence

Sumo Logic query detecting Windows Security logon events (EventCode 4624, 4625, 4648) where the resolved target account name matches the default built-in account list, and Sysmon process creation events (EventCode 1) with command lines that activate or add default accounts to privileged groups. Uses nested if() for event-type and logon-type labeling and the matches() function for regex-based command-line inspection against both Security and Sysmon source categories.

Data Sources

Sumo Logic Windows Security Event Log source via Installed CollectorSumo Logic Sysmon source via Installed CollectorSumo Logic OpenTelemetry Collector with Windows Event Log receiver

Required Tables

_sourceCategory=*windows/security*_sourceCategory=*windows/sysmon*

False Positives & Tuning

Helpdesk and IT operations staff with documented break-glass procedures using the built-in Administrator account during outages or access recovery scenarios approved in ITSM.
Security scanning tools (Nessus, Qualys, Rapid7) using default credentials for authenticated scanning of internal assets during authorized and scheduled assessment windows.
Containerized or virtualized workloads using generic account names (admin, service, test) that are isolated, non-domain-joined, and explicitly permitted by application security policy.

Download portable Sigma rule (.yml)

Other platforms for T1078.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Enable and Use Built-in DefaultAccount via PowerShell (Magic Hound TTP)
Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'net user DefaultAccount /active:yes'. Windows Security Event ID 4722 (User Account Enabled) with TargetUserName=DefaultAccount. Windows Security Event ID 4725 (User Account Disabled) after cleanup. Security Event ID 4688 (process creation) if command-line auditing is enabled.
Test 2Enable Built-in Guest Account and Verify Access
Expected signal: Windows Security Event ID 4722 (User Account Enabled) with TargetUserName=Guest. Windows Security Event ID 4688 or Sysmon Event ID 1 with CommandLine 'net user Guest /active:yes'. Security Event ID 4625 if subsequent logon attempt is made. Event ID 4725 on cleanup.
Test 3Authenticate Using Built-in Administrator Account via Net Use (HyperStack-style IPC$ Access)
Expected signal: Windows Security Event ID 4648 (Logon using explicit credentials) with TargetUserName=Administrator and TargetServerName=127.0.0.1. Windows Security Event ID 4624 (logon type 3 - Network) or 4625 (failed logon) on the target host. Sysmon Event ID 1 with CommandLine 'net use \\127.0.0.1\IPC$'. Sysmon Event ID 3 (network connection) to port 445.
Test 4Simulate Default Service Account Logon via Scheduled Task
Expected signal: Windows Security Event ID 4698 (Scheduled Task Created) with task name 'DefaultAccountTest'. Windows Security Event ID 4624 (SYSTEM logon type 5) when task executes. Sysmon Event ID 1 for schtasks.exe and cmd.exe processes. Sysmon Event ID 11 (File Created) for the output file in TEMP. Security Event ID 4699 (Scheduled Task Deleted) on cleanup.

Last updated: 2026-04-13 Research depth: deep

References (14)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1078.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Default Accounts in Sumo Logic CSE

MITRE ATT&CK

Sumo Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1078.001

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

MITRE ATT&CK

Sumo Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1078.001

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

Get new detections in your inbox